I'll include as a comment my reply to an email from the reporter:

Hello,

Note that the Ubuntu security team considers fingerprints to be akin to
usernames, rather than passwords. They cannot be changed, they are left on
thousands of objects daily, and repeated demonstrations of sensors being
'fooled' by artificial constructions from photographs etc. basically mean
fingerprints are not worth much as authentication tokens.

In the Main Inclusion Request review for fprintd and libfprint, we
included:

    It's important to note that security team considers fingerprints to
    be akin to usernames and not passwords. Any potential issues with
    this tool will be treated with this threat model in mind.

    -- https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1745455

Under this threat model, disclosure of a fingerprint is not a
vulnerability.

Perhaps the fprintd or libfprint authors will see things differently,
but I suspect most security practitioners have decided that fingerprints
are identifiers, not authenticators.

Thanks



** Changed in: apparmor (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1822590

Title:
  Found storing user fingerprints without encryption

To manage notifications about this bug go to:
https://bugs.launchpad.net/fprintd/+bug/1822590/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
